Comparison shopping is a proven and accepted practice within the retail industry. Pre-internet era versions meant shoppers would physically visit the retailers to get their “bottom line” price. Early online comparison shopping meant you could use search to find the desired product and compare vendors from the comfort of your own home, only physically venturing to the brick-and-mortar location when ready to buy.
The evolution continued with retail automation taking some of the comparison efforts away through “price match” features. The goal of these features is to ensure the vendor makes the sale, regardless of price, and given that the intent of the consumer is to get the best price, the result is a positive one for both parties.
How Retail Bots Are Changing Comparison Shopping
At the same time, retailer pricing strategies and tools have evolved using these same techniques, albeit in a formalized, legitimate manner with the intent of ensuring their products are priced accurately. The opportunity for automation and add-on services has spawned a new generation of tools focusing on pricing intelligence, with vendors that are outwardly focused on helping retailers gain and maintain a competitive edge.
What Is Search Abuse in Ecommerce?
Recently, one of our customers discovered some of the same search and comparison techniques being used in an automated, yet malicious, manner. This raises the question: when does the age-old practice of comparison shopping become malicious? Here is what we found.
- Search Abuse: Using automation to find a retail item for purchase is common practice. A search for sneakerbot, NikeBot, or Ticketbot will not only allow you to find a bot to automate finding the high-demand item you desire, but it may also help you purchase it.
Automated search bots found in our retail customer environments exhibited the following characteristics:
- The search queries targeted every single web application URI across all of their locations.
- The search patterns were too perfect and too fast to be human.
- The queries were distributed across a wide range of geographic locations that didn’t match the locations of the search queries themselves.
- Many of the queried items did not exist, placing a significant strain on the retailer’s infrastructure.
Taken collectively, the findings described provided strong evidence that the intent of the search was malicious.
How Automated Content Scraping Becomes Malicious
- Content Scraping: As with search, the practice of copying web content is an accepted one, as evidenced by content aggregators in the hospitality/travel and healthcare industries. The scraping activity observed during our investigation exhibited the following characteristics:
- The automation targeted URIs that did not exist.
- Multiple masking/evasive techniques were used to disguise the attack, including browser spoofing and forgery along with sophisticated user agent rotation.
- As with search abuse, some of the items scraped did not exist.
Again, collectively the intent of these activities appears to be malicious.
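The search-abuse and content-scraping characteristics listed above can be combined into a per-client check over access-log records. The following is an added example, not code from the original post or from Cequence. The thresholds, the signal names, and the `client_key` field (assumed to be a session or device-fingerprint key rather than an IP address) are assumptions for illustration.

```python
import statistics
from collections import defaultdict

# Thresholds are illustrative assumptions; tune against your own baseline traffic.
MAX_MEAN_GAP_S = 1.0   # "too fast": mean seconds between requests
MAX_GAP_CV = 0.10      # "too perfect": stdev/mean of request gaps near zero
MIN_MISS_RATIO = 0.30  # share of requests for items/URIs that do not exist
MAX_USER_AGENTS = 2    # distinct User-Agent strings seen for one client key

def client_signals(events):
    """events: list of (epoch_seconds, status, user_agent) for one client."""
    events = sorted(events)
    times = [t for t, _, _ in events]
    gaps = [b - a for a, b in zip(times, times[1:])]
    signals = set()
    if len(gaps) >= 3:  # need a few gaps before judging timing
        mean_gap = statistics.mean(gaps)
        if mean_gap < MAX_MEAN_GAP_S:
            signals.add("too_fast")
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap < MAX_GAP_CV:
            signals.add("too_regular")
    misses = sum(1 for _, status, _ in events if status == 404)
    if misses / len(events) >= MIN_MISS_RATIO:
        signals.add("nonexistent_targets")
    if len({ua for _, _, ua in events}) > MAX_USER_AGENTS:
        signals.add("ua_rotation")
    return signals

def flag_clients(records, min_signals=2):
    """records: iterable of (client_key, epoch_seconds, path, status, user_agent).
    A client is flagged only when several signals agree, mirroring the
    'taken collectively' reasoning in the text."""
    by_client = defaultdict(list)
    for client, ts, _path, status, ua in records:
        by_client[client].append((ts, status, ua))
    scored = {c: client_signals(ev) for c, ev in by_client.items()}
    return {c: sorted(s) for c, s in scored.items() if len(s) >= min_signals}

# Constructed sample data (not from the page): one automated client, one shopper.
SAMPLE = [("client-a", 1000 + 0.5 * i, f"/search?q=sku-{i}",
           404 if i % 2 else 200, f"UA-{i % 4}") for i in range(20)]
SAMPLE += [("client-b", t, "/product/42", 200, "UA-browser")
           for t in (1000, 1003, 1020, 1062, 1070, 1135)]

if __name__ == "__main__":
    for client, signals in flag_clients(SAMPLE).items():
        print(client, signals)
```

Requiring at least two signals keeps a single noisy indicator, such as a shopper following a stale link to a missing product, from flagging a client on its own.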
Jumping the Queue with Malicious Shopping Bots
Flash sales, online ticket sales, and other online product launches such as limited-edition sneakers generate excitement and customer demand and naturally have become a target for attack. Malicious bots can be programmed to swarm websites, completing purchases much faster than a human could, causing inventory issues, infrastructure strain, and customer frustration. They often hide behind residential proxies, so traditional IP-based mitigation methods won’t work without the risk of blocking legitimate customers. Read more about these types of bots in our flash sales blog.
Why Retailers Need Better Context to Identify Bad Bots
Online interactions often lack critical context. Emails are easily misinterpreted, instant messages and social media posts even more so. Search and browsing activity is even further removed and lacking in context. In retail environments, where margins are razor-thin and the actual intent of the transaction is unknown, the decision to allow will be more common than the decision to deny. However, with tools that can provide added context about the intent of the activity, decisions to allow or deny can be made more confidently.
Agentic AI Will Change Online Retail
The advent of agentic AI is likely to bring about dramatic changes to online retail. Agents will be able to act on behalf of users and attackers, making autonomous decisions and even buying products without user intervention. Retailers will need security solutions that can accurately distinguish human from synthetic (bot or agent) traffic, and good from bad based on intent.
Learn More About Ecommerce Bot Threats and Solutions
Ready to talk about your business case and how Cequence can help? We’ve partnered with some of the largest, most well-known retail brands and helped to eliminate bad bots without affecting legitimate traffic, saving revenue, infrastructure costs, and brand loyalty. Contact us to learn more.